CVE-2022-23117 — Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retr

Description

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.

How to fix CVE-2022-23117

To remediate CVE-2022-23117, upgrade the affected package to a fixed version below.

—upgrade to 1.0.10 or later

Is CVE-2022-23117 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23117
PATCHgithub.com/jenkinsci/conjur-credentials-plugin
WEBgithub.com/jenkinsci/conjur-credentials-plugin/pull/19
WEBgithub.com/jenkinsci/conjur-credentials-plugin/releases/tag/conjur-credentials-1.0.10